这个问题可能已经被问过好几次了,但是根据我能找到的所有结果以及我的一点知识,我有点迷茫了。我正在使用 Fedora 29。
我尝试用 nginx 来做的事情:
- 使用一个 let's encrypt ssl 证书和多个域名
- 将每个域映射到特定的内部主机(配置文件中的 DNS 或 IP,我不介意,无论什么都可以)
- 所有主机都已在内部使用 SSL(无可用的 http - 多个监听端口)
- 如果你从外部使用 http,我希望重定向到 https
样本 :
应用程序.域名.com -->https://主机名1.域.local(或 IP 1)
测试.域名.com -->https://hostname2.domain.local:1234(或 IP2)
www.域名.com -->https://主机名3.域.local(或 IP 3)等等...
我该怎么做呢?Let's encrypt 自动为我配置了 nginx 配置,但这似乎有点太多了。
非常感谢您的回答,我觉得我取得了一些进展,即使目前没有工作。我在这里发布我的完整配置文件,因为我现在有一个“502 Bad Gateway”错误。IP 与反向代理不在同一子网中,但完全可访问,没有防火墙或路由问题。
知道我可以在哪里继续前进吗?在原始配置中,还有一个包含密码和协议的 certbot conf 文件。也许我需要重新包含它?
另外:我尝试访问的内部服务器具有使用我自己的 AD CS 签名的证书,但反向代理上没有安装根证书。也许我应该这样做?
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name scans.domain.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; # managed by Certbot
location / {
proxy_pass https://192.168.XX.YY/;
}
}
}
答案1
为了让 NGINX 将多个域名解析为独立代理,您需要为所使用的每个域设置一个服务器块(是的,您需要include
LE 提供的服务器块):
server { listen 443 ssl; server_name application.domain.com; ssl on; ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; location / { proxy_pass https://hostname1.domain.local:80/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } } server { listen 443 ssl; server_name test.domain.com; ssl on; ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; location / { proxy_pass https://hostname3.domain.local:80/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } } server { listen 443 ssl; server_name www.domain.com; ssl on; ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; location / { proxy_pass https://hostname2.domain.local:1234/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } }
答案2
在您的 http.conf 配置中,您可以指定一条规则来重定向所有通过端口 80 的流量进行转发(与域无关):
server { listen 80; server_name _; return 301 https://$host$request_uri; }
如果您尝试转发 https > http,那么您还需要一个反向代理配置,如下所示:
server { listen 443 ssl; server_name application.domain.com; ssl on; ssl_certificate /etc/ssl/public/application.domain.com.combined; ssl_certificate_key /etc/ssl/private/application.domain.com.key; location / { proxy_pass http://hostname1.domain.local:80/; } }
请注意,您不一定需要将每个网站放在不同的端口上,nginx 知道根据域名向您的客户端提供什么内容。
问候,